---
layout: docs
page_title: Configure the Vault ServiceNow Credential Resolver
description: Configurable properties for the Vault ServiceNow Credential Resolver.
---

# Configure the Vault ServiceNow Credential Resolver

## MID server properties

The following [properties] are supported by the Vault Credential Resolver:

- `mid.external_credentials.vault.address` `(string: "")` - Address of Vault Agent as resolveable by the MID server.
  For example, if Vault Agent is on the same server as the MID server it could be `https://127.0.0.1:8200`.

- `mid.external_credentials.vault.ca` `(string: "")` - The CA certificate to trust for TLS in PEM format. If unset,
  the system's trusted CAs will be used.

- `mid.external_credentials.vault.tls_skip_verify` `(string: "")` - When set to true, skips verification of the Vault server
  TLS certificiate. Setting this to true is not recommended for production.

[properties]: https://docs.servicenow.com/bundle/quebec-servicenow-platform/page/product/mid-server/reference/r_MIDServerProperties.html#t_SetMIDServerProperties

## Configuring discovery credentials

To consume Vault credentials from your MID server, you will need to:

* Create a secret in Vault
* Configure the resolver to use that secret

### Creating a secret in Vault

The credential resolver supports reading credentials from the following secret engines:

* [Active Directory](/vault/docs/secrets/ad)
* [AD/OpenLDAP](/vault/docs/secrets/ldap)
* [AWS](/vault/docs/secrets/aws)
* [KV v1](/vault/docs/secrets/kv/kv-v1)
* [KV v2](/vault/docs/secrets/kv/kv-v2)

When creating KV secrets, you must use the following keys for each component
to ensure it is correctly mapped to ServiceNow's credential fields:

Key         | Description                            | Supported aliases
------------|----------------------------------------|------------------
username    | The username                           | access_key
password    | The password                           | secret_key, current_password
private_key | The private SSH key                    |
passphrase  | The passphrase for the private SSH key |

Most ServiceNow credential types will expect at least a username and either
a password or a private key. To help surface errors early, the credential
resolver validates that a username and password are present for:

* aws
* basic
* jdbc
* jms
* ssh_password
* vmware
* windows

The credential resolver expects the following types to specify at least
a username and a private key:

* api_key
* cfg_chef_credentials
* infoblox
* sn_cfg_ansible
* sn_disco_certmgmt_certificate_ca
* ssh_private_key

For SNMPv3 credentials, the credential resolver can accept up to five values:

* username
* auth-protocol
* auth-key
* privacy-protocol
* privacy-key

Depending on the configuration of the SNMP endpoint, the username at least will always be required. See below for different SNMP endpoint configurations:

Level         | Authentication | Encryption | What Happens
--------------|----------------|------------|------------------------
noAuthNoPriv  | Username       | None       | Username match for auth
authNoPriv    | MD5 or SHA     | None       | Auth based on HMAC-MD5 or HMAC-SHA algorithms
authPriv      | MD5 or SHA     | DES        | Auth based on HMAC-MD5 or HMAC-SHA algorithms; provides DES 56-bit encryption based on (CBC)-DES (DES-56) 

### Configuring the resolver to use a secret

<ImageConfig hideBorder caption="Vault credential resolver">

![Partial screenshot of the ServiceNow UI showing the search dialog for adding a Vault configuration by name](/img/service-now/vault-credential-resolver-fqcn.png)

</ImageConfig>

In the ServiceNow UI:

1. Navigate to "Discovery - Credentials &rarr; New".
1. Choose a type from the list.
1. Select "External credential store".
1. Provide a fully qualified collection name (FQCN):
    - **Xanadu (Q4-2024) or newer**:  use `com.snc.discovery.CredentialResolver`
    - **Versions prior to Xanadu (Q4-2024)**: leave blank or use "None"
1. Provide a meaningful name for the resolver.
1. Set "Credential ID" to the
   [ReadSecretVersion endpoint](/vault/api-docs/secret/kv/kv-v2#read-secret-version)
   of your secrets plugin and credential. For example, the endpoint
   for a secret stored on the path `ssh` under a KV v2 secret engine mounted at
   `secret` is `/secret/data/ssh`.
1. Click "Test credential" then select a MID server and target to test your
   configuration.
